How to update LE without exposing port 80

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
avokado.crabat.no
I ran this command:

It produced this output:

My web server is (include version):
Apache/2.4.39 (Unix)
The operating system my web server runs on is (include version):
QTS 4.4.3
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I’m using LE certificates when accessing internal web services from the internet through an Apache reverse proxy. Both port 80 and port 443 on my WAN router/firewall are redirected to the reverse proxy.
When the time comes for LE renewal, I need to shut down the reverse proxy and manually redirect port 80 to the web server. This means that during that process my entire LAN is exposed to the internet with no protection.
I understand that LE needs to verify ownership of my domains, but isn’t there a way to do this without:
a) The need to interrupt whatever current services already bound to port 80?
b) Exposing (opening) port 80 to the world?

Many thanks for any guidelines.

Hi @oywino

why so complicated? Use your reverse proxy directly.

Read

then

An open port 80 isn't a security problem if the configuration is ok.

If the configuration isn't ok, you should fix that.

Hi @JuergenAuer,
Please bear with me when (if) I expose my ignorance. My port 80 is permanently routed to my reverse proxy, and currently all attempts to renew fail, but of course all visitors to my sub-domains are correctly redirected. I have several active sub-domains in the form xxxx.crabat.no, yyyy.crabat.no, zzzz.crabat.no and so on. www.crabat.no does nothing.
You write "Use your reverse proxy." I’d love to, I just don’t know how. Could you explain?
I read the articles you linked to (I recall having read them before, too), but I didn’t find the answers I was looking for.
Currently I use Jlesage-NGINX-Proxy-Manager to generate the LE certificates. I’m not sure whether that can be referred to as an ACME client (or not).

Well, it's going to depend on what you're using as a reverse proxy (which you haven't told us). Some of the smarter reverse proxy servers (e.g., Caddy or Traefik) handle TLS certificates on their own--in the case of Caddy specifically, you have to explicitly tell it not to do that. With other software, like Nginx, you'd need to use a separate ACME client to do that. But whatever software you're using, the environment that's running the reverse proxy is where the certs should be obtained, and would ordinarily be where TLS termination would happen.

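The setup both replies point at, written out as an added example that is not from the original thread or from any of the posters: an Apache 2.4 configuration in which the reverse proxy itself answers Let's Encrypt HTTP-01 challenges on port 80 from a local directory and proxies nothing on port 80, so the backend is never reachable over plain HTTP, the router never has to be re-pointed, and the proxy never has to be stopped for renewal. The challenge webroot /share/Web/acme, the internal service address 192.168.1.10:8080, certbot as the ACME client, and the /etc/letsencrypt certificate paths are assumptions, not values from the thread; QTS may place its Apache, its ACME tooling and its certificates elsewhere.

```apache
# Added example, not taken from the thread. Assumed values: /share/Web/acme as
# the challenge webroot, 192.168.1.10:8080 as one internal service, certbot as
# the ACME client on the proxy host, and certbot's default /etc/letsencrypt
# layout for the issued certificate. Requires mod_alias, mod_rewrite, mod_ssl,
# mod_proxy and mod_proxy_http.
#
# With this in place, renewal is run on the proxy host itself, with no firewall
# change and no downtime; Apache is only reloaded after a successful renewal:
#   certbot certonly --webroot -w /share/Web/acme -d avokado.crabat.no \
#       --deploy-hook "apachectl graceful"

# Port 80: hand out ACME challenge files from local disk, bounce everything
# else to HTTPS. Nothing on this port is ever proxied to the LAN.
<VirtualHost *:80>
    ServerName avokado.crabat.no

    # The only content port 80 serves: static challenge tokens written by the
    # ACME client into the webroot.
    Alias /.well-known/acme-challenge/ /share/Web/acme/.well-known/acme-challenge/
    <Directory /share/Web/acme/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # The "!" target tells mod_proxy to leave this prefix alone. It must come
    # before any catch-all ProxyPass; keep it even though this vhost has none,
    # so a later "ProxyPass / ..." added here cannot forward challenges inward.
    ProxyPass /.well-known/acme-challenge/ !

    # Every non-challenge request is redirected to HTTPS, where TLS terminates
    # on the proxy with the Let's Encrypt certificate.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: TLS terminates here, then traffic is proxied to the internal host.
<VirtualHost *:443>
    ServerName avokado.crabat.no

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/avokado.crabat.no/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/avokado.crabat.no/privkey.pem

    # Never act as an open forward proxy; only reverse-proxy the paths below.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.10:8080/
    ProxyPassReverse / http://192.168.1.10:8080/
</VirtualHost>
```

Two checks before running the ACME client, both from outside the LAN: drop a file named test into /share/Web/acme/.well-known/acme-challenge/ and confirm that `curl -i http://avokado.crabat.no/.well-known/acme-challenge/test` returns 200 with that file's contents, and confirm that `curl -i http://avokado.crabat.no/` returns a 301 to the https:// URL rather than any backend content. This is the "configuration is ok" that the earlier reply refers to: port 80 stays forwarded to the proxy permanently, but all it can ever serve is a directory of static tokens, so leaving it open does not expose the internal services. Each additional sub-domain gets its own pair of VirtualHost blocks (or additional ServerAlias entries and a single certificate covering several names); the port 80 challenge handling is the same for all of them.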

Hi @danb35, I’m using Apache/2.4.39 as my Reverse Proxy, running on QTS 4.4.3 in a QNAP TS-251B
This Apache instance is included with the QTS OS as standard.

There are tons of options. But

  • these are not Letsencrypt problems, so outside of this forum
  • if you have root access, it's your job to create a working port 80 solution
  • if you are not familiar with proxy solutions, first step: Start with a simpler thing, then do the next (proxy).
